Analysis
- max time kernel: 140s
- max time network: 164s
- platform: windows10-2004_x64
- resource: win10v2004-20240226-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20240226-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 24-06-2024 09:09
Static task: static1
Behavioral task: behavioral1
  Sample: c7178b77eb74b0e4c0da1f35482ce140f5ee4bda0b6f806e8c29088812b0c3d7.exe
  Resource: win7-20231129-en
Behavioral task: behavioral2
  Sample: c7178b77eb74b0e4c0da1f35482ce140f5ee4bda0b6f806e8c29088812b0c3d7.exe
  Resource: win10v2004-20240226-en
General
- Target: c7178b77eb74b0e4c0da1f35482ce140f5ee4bda0b6f806e8c29088812b0c3d7.exe
- Size: 632KB
- MD5: 222831dc032b9cd1dad652a777419574
- SHA1: 37d45f0c42caddf9516b715bbec8db679ff3cff9
- SHA256: c7178b77eb74b0e4c0da1f35482ce140f5ee4bda0b6f806e8c29088812b0c3d7
- SHA512: 2f9778d283d5cb7467332924f7fef8e1e576a41fa4c572e6786632444f9aa82de31873e711324170e46cb7bb893ce0fa43e27d7608fa94a40eeecf4dd07a8039
- SSDEEP: 12288:wRWNcr8oxnLUiPclPA0DCQLsehJA3LQiEorgiYSsrGhtcLQaX:TNBILVIoQCoRJAke1rsrQtsJ
Malware Config
Signatures
-
Checks computer location settings (2 TTPs, 1 IoC)
Looks up the country code configured in the registry, likely a geofence check.
Processes:
  process: c7178b77eb74b0e4c0da1f35482ce140f5ee4bda0b6f806e8c29088812b0c3d7.exe
  description: Key value queried
  ioc: \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\Geo\Nation
The Nation value under the user's Control Panel\International\Geo key holds the numeric GeoID of the configured country. Samples that read it commonly exit or change behaviour when the sandbox locale is outside their target list, so the behaviour recorded in an en-us image may not be the behaviour seen elsewhere; re-running with a different locale is the usual check.
-
Executes dropped EXE (2 IoCs)
Processes:
  pid 364   UnRAR.exe
  pid 4572  md5.exe
-
Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s).
-
Program crash (1 IoC)
Processes:
  pid 4036  WerFault.exe  ->  target pid 4572 (md5.exe)
md5.exe, the executable unpacked from md5.rar, crashed under WerFault shortly after it was launched, so this run records the unpacking stage but little of the unpacked payload's own behaviour.
-
Suspicious use of WriteProcessMemory (9 IoCs)
Processes:
  PID 4292 (c7178b77eb74b0e4c0da1f35482ce140f5ee4bda0b6f806e8c29088812b0c3d7.exe) wrote to memory of 3620 (cmd.exe)    x3
  PID 3620 (cmd.exe) wrote to memory of 364 (UnRAR.exe)   x3
  PID 3620 (cmd.exe) wrote to memory of 4572 (md5.exe)    x3
Every write targets a process the writer itself has just created, which is the pattern of ordinary process start-up (the parent populating the new child's address space) rather than injection into an unrelated process. Treat this signature as supporting context for the process tree, not as evidence of injection on its own.
Processes
-
C:\Users\Admin\AppData\Local\Temp\c7178b77eb74b0e4c0da1f35482ce140f5ee4bda0b6f806e8c29088812b0c3d7.exe (PID 4292)
  command line: "C:\Users\Admin\AppData\Local\Temp\c7178b77eb74b0e4c0da1f35482ce140f5ee4bda0b6f806e8c29088812b0c3d7.exe"
  - Checks computer location settings
  - Suspicious use of WriteProcessMemory
  |
  +-- C:\Windows\SysWOW64\cmd.exe (PID 3620)
      command line: C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\cmd.bat" "
      - Suspicious use of WriteProcessMemory
      |
      +-- C:\Users\Admin\AppData\Local\Temp\UnRAR.exe (PID 364)
          command line: UnRAR.exe e -p83102a md5.rar
          - Executes dropped EXE
      |
      +-- C:\Users\Admin\AppData\Local\Temp\md5.exe (PID 4572)
          command line: md5.exe
          - Executes dropped EXE
          |
          +-- C:\Windows\SysWOW64\WerFault.exe (PID 4036)
              command line: C:\Windows\SysWOW64\WerFault.exe -u -p 4572 -s 600
              - Program crash
-
Other top-level processes recorded during the run (not children of the sample):
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=4080 --field-trial-handle=2252,i,16504368816373493055,9578615028378602855,262144 --variations-seed-version /prefetch:8
  (sandbox background activity, unrelated to the sample)
C:\Windows\SysWOW64\WerFault.exe
  command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 420 -p 4572 -ip 4572
  (second WerFault instance handling the crash of md5.exe, PID 4572)
-
Reading the tree: the sample writes cmd.bat, UnRAR.exe and md5.rar to %TEMP% (all three are listed under Downloads), runs the batch file through cmd.exe, and the batch file first extracts the password-protected archive with the bundled UnRAR (the password, 83102a, is passed on the command line with -p) and then launches the extracted md5.exe, which crashes. cmd.exe is invoked as C:\Windows\system32\cmd.exe but the image that runs is C:\Windows\SysWOW64\cmd.exe, which is WOW64 file-system redirection: the sample is a 32-bit process.
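The process tree above is a compact, reusable detection pattern: a binary running from %TEMP% starts cmd.exe on a .bat file, the batch file runs an archiver with the archive password on the command line, and a freshly extracted executable is launched from the same directory. The following Python is an added example, not part of the sandbox report, that encodes those three observations as rules over Sysmon-style process-creation events. The events are constructed here from the tree (PIDs, images and command lines are the report's; the sample's own parent PID, 2100, is assumed), and the rule names are this example's own.

```python
import re
from typing import Dict, List, Optional, Tuple

# Added example, not part of the sandbox report: a small detector for the
# chain shown in the process tree (dropper in %TEMP% -> cmd.exe running a
# .bat -> UnRAR with the password on the command line -> extracted EXE).
# EVENTS are constructed Sysmon-style process-creation records (EventID 1
# fields, trimmed). PIDs, images and command lines come from the report;
# the parent PID of the sample (2100) is an assumption.

SAMPLE = "c7178b77eb74b0e4c0da1f35482ce140f5ee4bda0b6f806e8c29088812b0c3d7.exe"
TEMP = r"C:\Users\Admin\AppData\Local\Temp"


def in_temp(name: str) -> str:
    return TEMP + "\\" + name


EVENTS: List[Dict] = [
    {"pid": 4292, "ppid": 2100, "image": in_temp(SAMPLE),
     "cmdline": '"' + in_temp(SAMPLE) + '"'},
    {"pid": 3620, "ppid": 4292, "image": r"C:\Windows\SysWOW64\cmd.exe",
     "cmdline": r'C:\Windows\system32\cmd.exe /c ""' + in_temp("cmd.bat") + '" "'},
    {"pid": 364, "ppid": 3620, "image": in_temp("UnRAR.exe"),
     "cmdline": "UnRAR.exe e -p83102a md5.rar"},
    {"pid": 4572, "ppid": 3620, "image": in_temp("md5.exe"),
     "cmdline": "md5.exe"},
    {"pid": 4036, "ppid": 4572, "image": r"C:\Windows\SysWOW64\WerFault.exe",
     "cmdline": r"C:\Windows\SysWOW64\WerFault.exe -u -p 4572 -s 600"},
]

TEMP_RE = re.compile(r"\\AppData\\Local\\Temp\\", re.IGNORECASE)
RAR_TOOLS = ("\\unrar.exe", "\\rar.exe", "\\winrar.exe")
# RAR/WinRAR/UnRAR take the archive password as -p<password>; a bare -p
# prompts interactively instead, so require at least one non-space character.
RAR_PW_RE = re.compile(r"(?:^|\s)-p(\S+)")


def rar_password(cmdline: str) -> Optional[str]:
    """Return the password passed as -p<password>, or None if absent."""
    m = RAR_PW_RE.search(cmdline)
    return m.group(1) if m else None


def ancestry(pid: int, by_pid: Dict[int, Dict]) -> List[str]:
    """Image basenames from the oldest known ancestor down to pid."""
    chain = []
    while pid in by_pid:
        chain.append(by_pid[pid]["image"].rsplit("\\", 1)[-1])
        pid = by_pid[pid]["ppid"]
    return chain[::-1]


def find_dropper_chain(events: List[Dict]) -> List[Tuple[str, int, str]]:
    """Return (rule, pid, detail) findings; rule names are this example's own."""
    by_pid = {e["pid"]: e for e in events}
    findings: List[Tuple[str, int, str]] = []
    for e in events:
        img = e["image"].lower()
        parent = by_pid.get(e["ppid"])
        parent_img = parent["image"].lower() if parent else ""
        # 1. a process running from %TEMP% starts cmd.exe on a .bat file
        if img.endswith("\\cmd.exe") and TEMP_RE.search(parent_img) \
                and ".bat" in e["cmdline"].lower():
            findings.append(("batch_from_temp", e["pid"], e["cmdline"]))
        # 2. an archiver is handed its password on the command line
        if img.endswith(RAR_TOOLS):
            pw = rar_password(e["cmdline"])
            if pw is not None:
                findings.append(("rar_password_on_cmdline", e["pid"], pw))
        # 3. cmd.exe, itself started by a %TEMP% binary, runs another %TEMP% binary
        if TEMP_RE.search(img) and parent_img.endswith("\\cmd.exe"):
            grandparent = by_pid.get(parent["ppid"])
            if grandparent and TEMP_RE.search(grandparent["image"]):
                findings.append(("dropped_exe_via_batch", e["pid"],
                                 " > ".join(ancestry(e["pid"], by_pid))))
    return findings


if __name__ == "__main__":
    for rule, pid, detail in find_dropper_chain(EVENTS):
        print(f"{rule:26} pid={pid:<5} {detail}")
```

Run against the constructed events it reports the batch launch (PID 3620), the archive password 83102a (PID 364) and two executables started from %TEMP% via the batch file (PIDs 364 and 4572), and stays silent on the WerFault child. The password rule is the one worth keeping on its own: a legitimate user rarely types an archive password into a scheduled command line, and recovering it from telemetry lets an analyst open the dropped archive without the sample.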
Network
MITRE ATT&CK Matrix ATT&CK v13
Downloads (files written to %TEMP% during the run)
-
C:\Users\Admin\AppData\Local\Temp\UnRAR.exe
  Filesize: 299KB
  MD5: f9388c6824adabb36596642ebc368db7
  SHA1: 7cf300de45e497224b4ee3a2891d961bb38cc7a0
  SHA256: 3a8020a4a16ea37a9d6fac6bbc8345e54dea92c247f4b9d630bc32780faf4dee
  SHA512: db0c19d2d8e8d8879095e65f6d2216f32ed29f0832dc53023ac2c1bc3558330e7ad12cee4e74ca5bf6e65c3133b0b6f220eed9bb702e5022808f585bfcf26001
-
C:\Users\Admin\AppData\Local\Temp\cmd.bat
  Filesize: 102B
  MD5: d357b49de1eff9c0b92779cc4b976a81
  SHA1: 0662a967d7b462f7170882eebce4068f7a4c0fac
  SHA256: 64c2fd677a11e309a5eb51d83eac7295be72ddca5ca234e57c3e49621f0b416d
  SHA512: f75903dbc4bad5e0a6b380723dc06047bdbf6da978ee2dd088231dfac761292e2d9bb762e6f5db02e50a0c26dff7836746c110e01381d0c6c1e7bcc1b9e4eeb0
-
C:\Users\Admin\AppData\Local\Temp\md5.exe
  Filesize: 423KB
  MD5: 199962380ea67533cbf4e28873b2444f
  SHA1: 94794d37c012a2ebff519a5a04cc38b2dd1b51f4
  SHA256: 551dd2d44ed5c9eea686678c540851abfcccbf8ea12d669c291fc3465e708437
  SHA512: de4959fab7e6c0bd9b505b9e4303877bf68a427295257d93d13ea1d4de021c8a172d807f8a824f7d2f70a184b299f503fc450d070997e98ea3294abec2c30677
-
C:\Users\Admin\AppData\Local\Temp\md5.rar
  Filesize: 300KB
  MD5: e68d6b097b47a80437a47cf4a3125341
  SHA1: 58bbfffbe452b71dea2df8d72ae9fbfd16d540f7
  SHA256: df4ea1e37bbcf10c31548a309334b740e6dd16fd159e14c501ce6eebafe6fe39
  SHA512: 77264d9b87f11930c42f56cb9cd03419eee0e44ea6965f5ed05f90bb802da6f2fbd0118aeb01780eff44cba26f686a1692286fc57ae22e0305890b7a40b5934a